xen-users
Re: [Xen-users] Xen Security
 
On Friday 16 July 2010 11:24:08 Jonathan Tripathy wrote:
> On Fri, Jul 16, 2010 at 3:32 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
> > I'm guessing the same risks apply to Xen as they do
> > VMWare?
> 
> in general, yes. As for vendor support, Redhat has been very
> responsive in fixing whatever security bug that comes up (like
> http://www.securitytracker.com/alerts/2009/Oct/1022977.html), so if
> you're concerned about that, I suggest using RHEL/Centos and their
> bundled Xen/kernel-xen version (which might be somewhat old, but
> should be sufficient for most uses).
> 
> I also suggest you do whatever security measures you normally do in
> your normal, non-virtual environment. Think of domU as just another
> server, and dom0 as SAN/switch/router/firewall.
> 
> For example, if you never bother to rewrite a SAN's LUN with 0s before
> reusing it on another host, then I don't see why you should bother
> writing 0s to an LV that will be used by Xen. Another example, if
> you're comfortable having a single firewall box and switch used by all
> traffic on your network (using vlans), then I don't see why you should
> treat Xen networking differently.
> 
> --
> Fajar
> 
> ---------------------------------------------------------------------------
> 
> 
> Hi Fajar,
> 
> I am using CentOS 5.5 with the stock Xen kernel that came with it, however
> I'm using Xen 3.4.2 from gitco.de - think this is safe enough?
> 
> I'm fairly sure that my network setup is secure. I'm using iptables to
> prevent IP spoofing, and using ebtables to prevent MAC spoofing. A
> firewall DomU (pfsense) has WAN, LAN, DMZ and PUBLIC interfaces. WAN and
> PUBLIC are bridged (for the customers' public VMs). The DMZ subnet only
> allows certain needed incoming ports from the internet (via NAT port
> forwarding), and outbound is also restricted to what's only needed. The
> LAN subnet doesn't allow any incoming ports from the internet. Ports
> between DMZ and LAN are also only open on a "need to" basis. I've been
> told that since my Public and DMZ bridges in the Dom0 have no IP
> addresses, it is impossible for the Dom0 to route traffic between them
> without going through the firewall DomU.
> 
> What do you think?
> 
> Thanks
> 
Jonathan, I will "psychologically" shortcut your question :-)   : you actually 
really want to do this and you need approval by someone of the list. This is 
not a good way to handle this matter. Think of the consequences of a security 
breach, then think about the expenses to avoid this and then come to a 
conclusion. What you are doing is bottom-up: you have your infrastructure and 
you wonder if you can bend it in such a way it will give you peace of mind. 
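Added example, not part of the thread and not Jonathan's or Bart's configuration: a small shell script that generates the per-vif ebtables/iptables anti-spoofing rules of the kind the quoted setup describes (pin each domU interface to its expected MAC and IPv4 address), and audits `ip -4 -o addr` output for dom0 bridges that carry an IPv4 address, which is the property Jonathan relies on for "dom0 cannot route between the bridges". The vif names, MACs, addresses and the bridge names xenbr0/xenbr1/xenbr2 are constructed; the script only prints the rules and never calls ebtables or iptables itself.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): generate per-vif
# anti-spoofing rules for a Xen dom0 and audit which bridges carry an IP.
# The script only prints rules; nothing here calls ebtables or iptables.

# Constructed vif inventory: interface name, expected MAC, expected IPv4.
# A real deployment would derive this from the domU configs (assumption).
VIF_TABLE='vif1.0 00:16:3e:00:00:01 192.0.2.10
vif2.0 00:16:3e:00:00:02 192.0.2.11'

# Constructed `ip -4 -o addr` output: xenbr0 (LAN) has an address,
# xenbr1 (DMZ) and xenbr2 (PUBLIC) are meant to have none.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: xenbr0    inet 192.0.2.1/24 brd 192.0.2.255 scope global xenbr0\       valid_lft forever preferred_lft forever'

# Emit one ebtables and one iptables rule per vif. Frames arriving on the
# vif with any other source MAC, or packets with any other source IP, are
# dropped before they cross the bridge.
gen_antispoof_rules() {
    printf '%s\n' "$VIF_TABLE" | while read -r vif mac ip; do
        [ -n "$vif" ] || continue
        echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
        echo "iptables -A FORWARD -m physdev --physdev-in $vif ! -s $ip -j DROP"
    done
}

# Print each named bridge that has an inet address in the given
# `ip -4 -o addr` output. For bridges meant to be IP-less, any output
# means dom0 itself is a routable hop and the "must go through the
# firewall domU" assumption no longer holds.
bridges_with_ip() {
    ipaddr_out=$1
    shift
    for br in "$@"; do
        printf '%s\n' "$ipaddr_out" | grep -q "^[0-9][0-9]*: $br  *inet " && echo "$br"
    done
    return 0
}

# Number of rules generated, so the result can be checked rather than eyeballed.
count_rules() {
    gen_antispoof_rules | grep -c -e '^ebtables' -e '^iptables'
}

gen_antispoof_rules
echo "bridges carrying an IPv4 address: $(bridges_with_ip "$SAMPLE_IP_ADDR" xenbr0 xenbr1 xenbr2)"
```

The iptables `physdev` match only sees bridged traffic when bridge netfilter is active (`/proc/sys/net/bridge/bridge-nf-call-iptables` set to 1); the ebtables rule does not depend on that. Run the generator, review the printed rules, and only then apply them on the dom0.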
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
 
 |   
 
| <Prev in Thread] | 
Current Thread | 
[Next in Thread>
 |  
- RE: [Xen-users] Xen Security, (continued)
 
 
Re: [Xen-users] Xen Security, Iustin Pop
- Re: [Xen-users] Xen Security, Jonathan Tripathy
- Re: [Xen-users] Xen Security, Simon Hobson
 - RE: [Xen-users] Xen Security, Jonathan Tripathy
 - Re: [Xen-users] Xen Security, Fajar A. Nugraha
 - RE: [Xen-users] Xen Security, Jonathan Tripathy
 - Re: [Xen-users] Xen Security,
Bart Coninckx <=
 - RE: [Xen-users] Xen Security, Jonathan Tripathy
 - Re: [Xen-users] Xen Security, Bart Coninckx
 - RE: [Xen-users] Xen Security, Jonathan Tripathy
 - Re: [Xen-users] Xen Security, Bart Coninckx
 - RE: [Xen-users] Xen Security, Jonathan Tripathy
 - Re: [Xen-users] Xen Security, Bart Coninckx
 
  
 
Re: [Xen-users] Xen Security, Fajar A. Nugraha
RE: [Xen-users] Xen Security, Jonathan Tripathy
Re: [Xen-users] Xen Security, ABPNI
Re: [Xen-users] Xen Security, Fajar A. Nugraha
 |  
  
 | 
    |